Europe’s push to assert “sovereignty” over technology is starting to take shape around the question of data, and who controls it.
While the bloc remains a proponent of free trade, new rules due to be unveiled in coming weeks propose restricting the flow of certain types of data out of the bloc — a concept known as data localization.
An advance look at the proposals, obtained by POLITICO, shows the upcoming Data Governance Act aims to create new infrastructure for sharing sensitive data between individuals and public agencies, which the Commission hopes will create a “single market” for data.
The idea would let public hospitals pool data on their fight against COVID-19, or let patients donate data voluntarily for scientific research.
But the rules propose that the processing of public sector data “should be limited to the European Union.”
Internal Market Commissioner Thierry Breton, a former tech CEO in France, has been the EU executive’s most vocal backer of the bloc holding on to more of its digital information, arguing that it will boost tech independence and help foster homegrown champions.
“European data should be stored and processed in Europe because they belong in Europe. There is nothing protectionist about this,” he told POLITICO in September.
Breton’s push was bolstered by the EU’s top court stricking down Brussels’ transatlantic data flows deal with the U.S., called Privacy Shield, in July because of fears over privacy.
The landmark ruling also cast legal uncertainty over all transfers of data out or Europe that has yet to be cleared up — leading some lawyers to advise clients to store more data in Europe and regulators to call for data stored in the U.S. to be relocated to Europe.
Restrictions on data flows are not the only rules in the act that indicate Europe’s changing tack. The proposal includes requirements for providers of “data sharing services” and companies engaged in collecting data for “data altruism activities” to be legally established in the EU or EEA.
The proposal — overseen by Breton’s office — is the clearest indication yet of the French commissioner’s influence on Europe’s strategic priorities, but many don’t agree with his Europe-first approach, including officials in the Commission.
Justice Commissioner Didier Reynders, who oversees a portfolio that includes data protection and data flows, distanced himself from data localization, as has the bloc’s digital chief Margrethe Vestager, who told a POLITICO event this month it was “important that data can travel, into and out of the union.”
In September, Ralf Sauer, a key data flows official in the Commission, said he did not believe that the end of the Privacy Shield agreement will “usher in a new era of data localization.”
“[Our stance] has not changed with the judgment, we believe in free data flows,” Sauer said.
Restrictions on data flows could affect billions of euros worth of digital trade, and U.S. officials and companies in particular have reacted with alarm to Breton’s stance on data. Speaking at the same event as Sauer, James Sullivan, a key U.S. negotiator for a revived U.S.-EU data flows deal, said vocal backing of data sovereignty in Brussels was not helpful in keeping transatlantic data flows alive.
“In months since [the] decision … calls for data localization and sovereignty from within the Commission have added to the uncertainty,” he said.
Top privacy regulators have also looked to assuage concerns that Europe is about to take a protectionist turn. Anna Buchta, a lawyer for the EU’s data protection authority EDPS, said this month that the regulator “would not support a general trend towards data localization” — echoing the agency’s chief Wojciech Wiewiórowski’s insistence that he wasn’t “keen” on the idea.
Laura Kayali contributed reporting.